
Educause Task Force on System Security


Presentation Transcript


1. Educause Task Force on System Security
Dan Updegrove, University of Texas at Austin
H. Morrow Long, Yale University
NERCOMP 2001, Worcester MA, March 19, 2001
<www.educause.edu/security>
EDUCAUSE Systems Security Task Force - March 19, 2001

2. Outline
• Some history
• The current situation
• “Simple” steps towards security
• One university’s response
• Other security initiatives
• SANS “Top 10 List” of vulnerabilities
• The EDUCAUSE Task Force
• How you can participate

3. Some Recent Internet History
• 1986 – Major NSF funding for national backbone & regional supercomputer centers
• 1988 – Robert Morris & the Internet Worm
• 1988 – Creation of CERT at CMU
• 1989 – The Cornell Commission report
• 1989 – Clifford Stoll’s The Cuckoo’s Egg
• 1991 – CIX, commercial use, & Gopher

4. Internet History, cont’d
• 1993 – Mosaic browser released by UIUC
• 1993-4 – ISP sniffing attacks (PANIX, NearNet)
• 1994-5 – Kevin Mitnick demos TCP hijacking
• 1995 – National backbone privatized
• 1995 – SATAN released by Farmer & Venema
• 1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks
• 1996 – Internet 2 consortium formed

5. 2000-2001 Academic InfoSec
• Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
• June – SANS Top Ten list released
• June-July – Univ. of Washington Medical Center intrusion; 4000 medical records involved; no firewall protecting the server
• Feb 2001 – Indiana University Bursar server with anonymous FTP enabled and student records on it
• March – 40+ e-commerce NT/IIS servers hacked from E. Europe; credit card #s taken; FBI NIPC alert

6. The Current Situation
• The Internet is a world-wide, increasingly mission-critical infrastructure
• The Internet’s underlying structure, protocols, & governance are still primarily open
• Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
• Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
• Many college & university networks are insecure

7. Information Security in HE
• Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
• Smaller institutions: dearth of tech skills
• Dorm networking: little adult supervision
• Too few security experts; weak tools; most institutions have no InfoSec office
• Few policies regarding systems security

8. Information Security in US HE
• 3500+ colleges and universities
• > 1000 community colleges
• < 100 major research universities
• 125+ university medical schools
• 400 teaching hospitals
• 150+ institutional members of Internet2

9. Targets of Opportunity on US HE Computer Networks
• Sensitive data
  • Credit card #s, ACH (NACHA) bank #s
  • Patient records (SSN)
  • Student records (SSN)
  • Institution financial records
  • Investment records
  • Donor records
  • Research data

10. Why US HE Computer Networks are Attractive Targets
• Platforms for launching attacks
• Wired dorms (insecure Linux PCs, PC Trojans)
• High bandwidth Internet (fractional T3, T3, T3+)
• High computing capacity (scientific computing clusters, even web servers, etc.)
• “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
• Trust relationships between departments at various universities for research (e.g. Physics)
• University research lab computers are often insecure and unmanaged

11. Unique Challenges to Implementing Information Security in Higher Ed
• Academic “culture” and tradition of open and free networking
• Lack of control over users
• Decentralization (no mainframe anymore)
• Lack of financial resources
• Creative network anarchy – anyone can attach anything to the network
• IT has not always been central to the institutional mission; changing attitudes and getting “buy in” requires politics and leadership

12. What Should US HE IT Be Doing W.R.T. Information Security
• Investigating network security methods
• Investigating strong authentication methods (e.g. smart cards, tokens)
• Evaluating “best practices” in:
  • Higher education
  • Corporations
  • Government
  • Military
• Developing common recommended policies

13. Trends in Academic InfoSec
• E-commerce sites threaten litigation against sites used to launch future DDoS attacks. Liability for negligence?
• Insurance companies begin to rewrite liability policies; separate ‘cyber’ policies require info security vulnerability assessments & changes
• Funding agencies to require firewalls, security?
• HIPAA is a “forcing function” in academic medical centers
• FERPA, COPPA, DMCA, privacy legislation
• If HE InfoSec doesn’t improve, will more federal legislation be far behind?

14. InfoSec Trends Elsewhere
• Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites
• Information security at state government agencies and municipal governments is a mixed bag
• Outside the US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not

15. InfoSec Trends Elsewhere
• .MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification); broke initial ground in IDS (Intrusion Detection Systems)
• .GOV – NIST has released draft guidelines/recommendations for info security to be implemented at federal government agencies

16. InfoSec Trends Elsewhere
• .COM sites – some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art
• Insurance/auditors requiring security assessments for policies
• BS 7799 / ISO/IEC 17799-1 InfoSec management standards
• CISSP / CISA / SANS GIAC / vendor (Microsoft/Cisco/Checkpoint) certifications of information security personnel

17. Corporate InfoSec Trends (relatively rare in US HE)
• Firewalls, proxies, user access control
• Network monitoring, bandwidth management
• Extensive logging, logfile analysis
• IDS – Intrusion Detection Systems
• VPNs (Virtual Private Networks)
  • PPTP, L2TP, IPSEC
• Strong authentication – PKI, smartcards
• Vulnerability scanning (internal, external)
• Change control / management
• Managed security services (e.g. outsourced)

18. Simple Steps to Info Security
• Accept/understand the dangers (current threat environment)
• Inventory your critical systems (Virginia Tech Excel)
• Risk management: assess/prioritize the risks to these systems
• Secure critical (and legally mandated) systems by patching/hardening the OS and applications
• Move critical systems into data centers where they will be physically and environmentally secure as well as under professional system administration
• Use internal firewalls to secure data center server subnets (the protected enclave model) and other critical sites, even where perimeter firewall(s) exist
• Scan and fix your systems – prioritize

19. More “Simple Steps”
• Create and fund an InfoSec office(r)
• Empower the InfoSec office(r)
• Authorize & fund network scanning
• Authorize “pulling the plug”
• Create policies, particularly regarding calling law enforcement – get legal advice
• Restrict NT domain administration severely (e.g. to InfoSec)
• Centralized 7x24 hour production operations
• Professional system administration
• Network partitioning (admin servers, DMZ, residential colleges, student clusters/labs, research labs, etc.) via routers, firewalls, subnets / VLANs, separate Internet feeds

20. Less “Simple Steps”
• Abolish or strongly discourage “insecure” network protocols (telnet, ftp, rlogin/rsh, standard HTTP forms for sensitive data)
• Encourage or require encryption for network protocols (passwords, data streams / stores)
• Attempt to abolish use of the Social Security # as a unique identifier as well as a PIN/password
• Require/encourage strong authentication (good passwords, smartcards or physical tokens, biometrics, Kerberos or X.509 certificates), particularly for privileged access and sensitive, important applications
• Conduct a massive education campaign – give examples of incidents and “bad practices”

21. Lesser “Simple Steps”
• Provide dis/incentives (sticks & carrots) to shift the existing cost/benefit security calculus
• Flip the net access rule from “allow everything / deny by exception” to “deny everything / allow …”
• Put critical systems & net under change management
• Install Tripwire™, ISS System Scanner™ or similar systems (AIDE) on critical systems
  • so that you know when they have changed (and you have been hacked)
• Get anti-virus software installed campus-wide

22. Least “Simple Steps”
• Manage passwords
  • Require strength and changing (30-90 days)
  • Expect resistance (do you have the political will?)
• Manage vendor upgrades and “hot fixes”
  • Microsoft “hot fixes” for NT, W2K, IIS are out of control and many believe unmanageable
• Secure software obtained from vendors
  • Tough because most application software is shrink-wrapped or outsourced
  • But you can create alternate ‘secure’ builds of software such as Red Hat Linux, Unix, NT, Windows 2000
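The password-management step above asks for a 30-90 day change cycle. As an added example (not from the slides), this audits shadow-format account records against that limit and also flags accounts with an empty password field; the records are constructed samples, and the 90-day limit and the slide's own date are the assumed policy inputs.

```python
"""Password-aging audit over /etc/shadow-style records (added example)."""
from datetime import date
from typing import List, Tuple

# Constructed sample records, not real accounts. Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is days since 1970-01-01 on which the password was last set.
SAMPLE_SHADOW = """\
root:$6$saltsalt$constructedhash:11300:0:90:7:::
webadm:$6$saltsalt$constructedhash:11000:0:90:7:::
labuser::11390:0:90:7:::
svc_backup:*:11390:0:90:7:::
newhire:$6$saltsalt$constructedhash:11390:0:90:7:::
"""

SLIDE_DATE = date(2001, 3, 19)  # the presentation date, used as "today"


def password_age_days(lastchg: int, today: date) -> int:
    """Days elapsed since the password was last set."""
    return (today - date(1970, 1, 1)).days - lastchg


def audit(shadow_text: str, today: date, max_age: int = 90) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for accounts that violate the policy."""
    findings: List[Tuple[str, str]] = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name, pw, lastchg = fields[0], fields[1], fields[2]
        if pw == "":
            # No password at all: anyone can log in as this account.
            findings.append((name, "empty password"))
            continue
        if pw.startswith(("*", "!")) or lastchg in ("", "0"):
            # Locked/no-login account, or a change already forced at next login.
            continue
        age = password_age_days(int(lastchg), today)
        if age > max_age:
            findings.append((name, f"password {age} days old (limit {max_age})"))
    return findings


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed records as of the slide date."""
    return audit(SAMPLE_SHADOW, SLIDE_DATE)
```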

23. One University’s Response
• Yale University: 11,000 students, 11,000 faculty & staff; 16,000 hosts; wired dorms; 500 modem lines; I1 & I2; wireless pilots
• Information Security Officer hired in 1997; two additional staff added by 1999, one focused on admin, one on research/students
• This office is extremely busy!

24. One University, cont’d
• Internet Security Systems (ISS) licensed 1998
• Found numerous vulnerabilities, many severe
• Some system admins grateful for the info; some overwhelmed by the tasks ahead
• One user complaint when home net scanned
• Student paper assumed search for MP3s

25. One University, cont’d
• IT Appropriate Use Policy amended to authorize scans, even for personal machines
• Automated report distribution by running a ‘.BAT’ script of the NT command-line ISS scanner, PGP-encrypting the output, & sending e-mail to dept admins
• Distribute ISS s/w & license keys so depts can scan themselves, perform repairs

26. One University, cont’d
• 2nd data center w/ mirrored disk for disaster recovery
• Extensive use of IBM’s ADSM for backup
• Firewalls: Internet gateway & data centers
• System admin hygiene, SSH, et al.
• Eliminated insecure Telnet/FTP to central servers, distributed SSH and other tools
• Promotion of encryption (more policy issues)
• VPN server set up and publicized
• Campus-wide anti-virus software license obtained, software distributed

27. Other Security Initiatives
• Computer Security Institute
• Forum of Incident Response & Security Teams
• System Administrators Guild of USENIX
• USENIX Security Conference
• CERT Coordination Center
• NIST Computer Security Division

28. Other Initiatives (cont’d)
• Commercial & public domain software
• CREN Certificate Authority; Net@Edu PKI working group; Internet 2 PKI Labs; Internet2 Security Working Group
• SANS – System Administration, Networking, & Security Institute
• Center for Internet Security

29. SANS Top 10 Vulnerabilities
• BIND weaknesses: nxt, qinv & in.named allow immediate root compromise
• Vulnerable CGI programs & application extensions
• RPC weaknesses in ToolTalk, Calendar Manager, rpc.statd allow immediate root compromise
• RDS security hole in Microsoft’s Internet Information Server
• Sendmail buffer overflow, pipe attacks, MIMEbo allow immediate root compromise

30. SANS Top 10, cont’d
• Sadmind & mountd
• Global file sharing, inappropriate info sharing via NetBIOS, UNIX NFS, MacOS
• User IDs, esp. root/admin weak passwords
• IMAP & POP buffer overflow, misconfiguration
• Default SNMP community strings set to “public” & “private”

31. SANS Top 10, cont’d
• ISS, other tools can scan for them
• Eliminating the top 10 is not sufficient
• The top 10 is a moving target
• But how many institutions have got these ten vulnerabilities under control?
• And couldn’t we make more progress if we engaged in joint action?

32. SANS / SSH.COM SSH for Educational Institutions
• SANS worked with SSH.COM to obtain free SSH2 implementations for US educational institutions
• http://www.ssh.com/license.html
• http://www.ssh.com/commerce/non-commercial_site_license_request.html
• http://www.ssh.com/about/press/2000/release15082000.html

33. FBI NIPC/Microsoft IIS Alert
• MS99-025, Unauthorized Access to IIS Servers Through ODBC Data Access with RDS
• MS00-014, SQL Query Abuse
• MS00-095, Registry Permissions
• MS00-086, Web Server File Request Parsing

34. Educause Task Force
• Announced to all member reps in a July e-mail from Mark Luker, VP for Networking
• Co-chaired by Gordon Wishon, Associate VP & Associate Vice Provost for IT, Georgia Tech, & Dan Updegrove, VP for Information Technology, University of Texas at Austin
• Committee co-chairs named

35. TF Committees - 1
• Detection, prevention, & response to attacks
  • Jack Suess, CIO, University of Maryland, Baltimore County
  • Steve Hansen, Security Policy Officer, Stanford

36. TF Committees - 2
• Campus policies
  • Mark S. Bruhn, IT Policy Officer, Indiana U
  • Rodney Petersen, Dir, Policy & Planning, U of Maryland, College Park

37. TF Committees - 3
• Education & awareness
  • Michelle Norin, Director for IT Outreach, University of Arizona (norin@u.arizona.edu)
  • Gordon Wishon, VP & Vice Provost for IT, Georgia Tech

38. TF Committees - 4
• Emerging technologies
  • Clifford Collins, Ohio Academic & Research Network (OARnet)
  • Ken Klingenstein, University of Colorado & Chief Technologist/Middleware Project Director, Internet 2

39. EDUCAUSE Initiatives
• Education/awareness – speakers; developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.)
• “Best” practices security recommendations – publish
• Tools – vulnerability scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, etc.
• Federal (NSF) grant proposal?
• Vendor contacts / potential group purchase discounts
• PKI (HEPKI-PAG, HEPKI-TAG) – Public Key Infrastructure
• Obtaining security consulting/assessment/emergency notification (e.g. Internet 911) services for academia?

40. How You Can Participate
• Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors, even CIOs!
• Meetings, e-mail, website, white papers
• <http://www.educause.edu/security>
